-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/28/2011 12:33 PM, Bernhard M. Wiedemann wrote:
On 07/28/2011 11:59 AM, Dinar Valeev wrote:
/usr/lib/build/lxc.conf :
# allow to create any device nodes - but not access lxc.cgroup.devices.allow = c *:* m lxc.cgroup.devices.allow = b *:* m # /dev/pts/* lxc.cgroup.devices.allow = c 136:* rw lxc.tty = 1
Is this secure?
I understood the lxc config format to have "rw" for read+write access to devices but the top two lines only have the "m" flag to allow only mknod - unluckily man lxc.conf does not tell. The lower two lines _could_ allow access to the host's pseudo terminals. Not sure how dangerous that is.
I did some more researching. The first lines are secure: lxc-start -n build-root -- /bin/mknod /tmp/devnode c 199 199 lxc-start -n build-root -- /bin/cat /tmp/devnode /bin/cat: /tmp/devnode: Operation not permitted the pts devs did get to the host, so could be problematic, but this stopped when I added to lxc.conf: lxc.pts = 1024 but since I am not much into LXC, this might break other things. I also noticed that when building with LXC, the live log stops early after copying packages... reordering... and when you click "Start Refresh" you see that a new log was started at: processing specfile /.build-srcdir/binutils.spec Ciao Bernhard M. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk42OMMACgkQSTYLOx37oWTZggCg2MTFImB9kG6Uy7nsuyFzWAai YEgAnAgySnMP0kj2JY7rhh+/289mEInd =cecq -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org